Securing-Optimizing-RH-Linux-1_2_70
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
The last two parameters (10 and 60) are unused by the system, so we don't need to change the
default values.
You can put the above command in the /etc/rc.d/rc.local script file so you don't have to type it
again the next time your system reboots. Look at /usr/src/linux/Documentation/sysctl/vm.txt for
more information on how to tune kernel parameters related to virtual memory.
4. The ip_local_port_range parameters
The ip_local_port_range file (/proc/sys/net/ipv4/ip_local_port_range) defines the local port range
used by TCP and UDP traffic when choosing a local port. You will see two numbers in this file: the
first is the first local port allowed for TCP and UDP traffic on the server, the second is the last
local port number. For high-usage systems you may change the default values to 32768-61000
(first-last).
To change the values of ip_local_port_range, type the following on your terminal:
[root@deep /]# echo 32768 61000 > /proc/sys/net/ipv4/ip_local_port_range
Add the above command to the /etc/rc.d/rc.local script file and you'll not have to type it again
the next time you reboot your system.
5. The /etc/nsswitch.conf file
The /etc/nsswitch.conf file is used to configure which services are used to determine
information such as hostnames, password files, and group files. The last two, password files
and group files, are not relevant in our case since we don't use the NIS service on our
server. So we will focus on the hosts line in this file.
Edit the nsswitch.conf file (vi /etc/nsswitch.conf) and change the hosts line to read:
"hosts: dns files"
This means that programs that want to resolve an address use DNS first and fall back to the
/etc/hosts file if the DNS servers are not available or can't resolve the address.
Also, we recommend deleting all instances of the NIS service from each line of this file unless
you are using NIS! The result must look like this:
passwd:     files
shadow:     files
group:      files
hosts:      dns files
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
automount:  files
aliases:    files
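As an added example (not from the book), the following shell script audits the two settings covered in sections 4 and 5: it reports nsswitch.conf lines that still list nis or nisplus, checks that the hosts line consults dns before files, and validates a "first last" port range string against the 32768 61000 values given above. The nss_* functions take a file path; the sample nsswitch.conf embedded below is constructed for the demonstration and is not a real system file.

```shell
#!/bin/sh
# Added example, not from the book: audit the settings this section changes.
# nss_* functions take a file path so they can be run against the constructed
# sample below or against the real /etc/nsswitch.conf.

# Print each non-comment line whose sources still include nis or nisplus.
# Returns 0 when the file is NIS-free, 1 when leftovers were found.
nss_find_nis() {
    hits=$(awk '!/^[[:space:]]*#/ {
                   for (i = 2; i <= NF; i++)
                       if ($i == "nis" || $i == "nisplus") { print; next }
               }' "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Print the lookup order of the hosts line, e.g. "dns files".
nss_hosts_order() {
    awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 only if hosts consults dns before files, as the book sets it.
nss_hosts_dns_first() {
    [ "$(nss_hosts_order "$1")" = "dns files" ]
}

# Check a "first last" string (the format of
# /proc/sys/net/ipv4/ip_local_port_range) against the recommended 32768 61000.
port_range_ok() {
    set -- $1
    [ "$#" -eq 2 ] && [ "$1" = 32768 ] && [ "$2" = 61000 ]
}

# Constructed sample: NIS left on two lines and the hosts order reversed.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# /etc/nsswitch.conf constructed sample
passwd:     files nis
shadow:     files
group:      files nis
hosts:      files dns
EOF

# The same sample corrected the way the book's final listing has it.
FIXED=$(mktemp)
sed -e 's/[[:space:]]nis$//' -e 's/^hosts:.*/hosts:      dns files/' "$SAMPLE" > "$FIXED"
```

On a live system, run nss_find_nis /etc/nsswitch.conf and port_range_ok "$(cat /proc/sys/net/ipv4/ip_local_port_range)" to verify the changes took effect after a reboot.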
6. The file-max parameter